Why can't I get a direct connection with Tailscale?

# Why can't I get a direct connection with Tailscale? I have the following configuration: ``` pi > home router > work router > aorus 192.168.1.160 90.89.201.88 92.154.18.143 172.31.4.240 ``` I have set up a port-forwarding rule on my home router: ``` 90.89.201.88:41641/udp -> 192.168.1.160:41641 ``` ![](https://hackmd.io/_uploads/B1Egu7Dyn.png) For some reason, when running `tailscale ping aorus` from pi, the packets are sent from the port 55886 instead of 41641. ```console $ sudo tcpdump -iany -n udp port 41641 09:23:35.821788 eth0 Out IP 192.168.1.160.55886 > 172.42.0.1.41641: UDP, length 124 09:23:35.821867 eth0 Out IP 192.168.1.160.55886 > 172.44.0.1.41641: UDP, length 124 09:23:35.821947 eth0 Out IP 192.168.1.160.55886 > 10.42.0.1.41641: UDP, length 124 09:23:35.822023 eth0 Out IP 192.168.1.160.55886 > 92.154.18.143.41641: UDP, length 124 09:23:35.822102 eth0 Out IP 192.168.1.160.55886 > 172.31.4.240.41641: UDP, length 124 09:23:35.822178 eth0 Out IP 192.168.1.160.55886 > 192.168.122.1.41641: UDP, length 124 09:23:35.822318 eth0 Out IP 192.168.1.160.55886 > 10.92.138.1.41641: UDP, length 124 09:23:35.822407 eth0 Out IP 192.168.1.160.55886 > 192.168.130.1.41641: UDP, length 124 ``` My doubts were confirmed when I went to the Tailscale UI: ![](https://hackmd.io/_uploads/S1IPwXDk2.png) ``` $ sudo journalctl -u tailscaled --since="1 day ago" | grep magicsock Mar 09 08:48:58 pi tailscaled[616]: magicsock: endpoints changed: 90.89.201.88:41641 (stun), 172.17.0.1:41641 (local), 172.18.0.1:41641 (local), 172.19.0.1:41641 (local), 192.168.1.160:41641 (local), [2001:db8:1::1]:41641 (local) Mar 09 09:07:52 pi tailscaled[193332]: magicsock: unable to bind udp4 port 41641: listen udp4 :41641: bind: address already in use Mar 09 09:07:52 pi tailscaled[193332]: magicsock: endpoints changed: 90.89.201.88:55886 (stun), 172.17.0.1:55886 (local), 172.18.0.1:55886 (local), 172.19.0.1:55886 (local), 192.168.1.160:55886 (local), [2001:db8:1::1]:55886 (local) ``` > unable to bind udp4 port 41641: listen udp4 :41641: bind: address already in use Do I have tailscale running twice? I restarted tailscaled on the pi, and it went back to 41641: ``` $ sudo systemctl restart tailscaled.service $ sudo journalctl -u tailscaled --since="5 minutes ago" | grep magicsock Mar 09 09:37:40 pi tailscaled[194545]: magicsock: endpoints changed: 90.89.201.88:41641 (stun), 172.17.0.1:41641 (local), 172.18.0.1:41641 (local), 172.19.0.1:41641 (local), 192.168.1.160:41641 (local), [2001:db8:1::1]:41641 (local) ``` This time, the direct connection was working! ```console # From pi. $ tailscale ping aorus pong from aorus (100.74.203.69) via 92.154.18.143:3997 in 20ms ``` ## Changing 41641 to something else I want two devices on my home network to be able to establish direct connections to aorus. ```bash # On pi. sudo vim /etc/default/tailscaled ``` Then: ```bash # Set the port to listen on for incoming VPN packets. # Remote nodes will automatically be informed about the new port number, # but you might want to configure this in order to set external firewall # settings. PORT="41642" # Extra flags you might want to pass to tailscaled. FLAGS="" ``` Then, I added a rule in my home router: ``` 90.89.201.88:41642/udp -> other-device:41642/udp ```

Read more

Reproducing cert-manager’s serviceAccountRef with Out-of-Cluster Vault Without Setting token_reviewer_jwt

Why the Kubernetes Auth Isn't Appropriate when Operating a Central Vault Instance, and Why the Vault JWT Auth Makes More

Fixing “403 Forbidden” GitHub Actions, Docker or Helm Push to GitHub Container Registry (GHCR)

Fixing “500 Certificate in an error state. Fix any errors, and then click Retry.” Blocking Renewal In cert-manager